cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1389
Views
0
Helpful
4
Replies

Nexus 7k and Cisco ACS 5.4 RBAC

Tuyen Nguyen
Beginner
Beginner

Greetings

I am trying to provide limited access on Nexus 7k using ACS 5.4 via TACACS.  I used the following in my shell profile

 

ATTRIBUTE:  cisco-av-pair

REQUIREMENT:  mandatory (even tried optional)

VALUE:  shell:roles="network-operator"

 

Everything seems to work, but I cannot ping/traceroute and receive this error, from the Nexus 7k.

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

 

4 Replies 4

edwjames
Participant
Participant

Hey,

Could you share the AAA configuration on the Nexus?

 

Regards

Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Sure

aaa authentication login default group CORP_ACS
aaa authentication login console local
aaa authorization commands default group CORP_ACS local
aaa accounting default group CORP_ACS
aaa authentication login error-enable

 

aaa group server tacacs+ CORP_ACS
    server x.x.x.x
    server x.x.x.x
    use-vrf management

Hi Tony,

You should not have command authorization when you use RBAC.

Kindly remove: aaa authorization commands default group CORP_ACS local

and check again.

Regards

Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Naveen Kumar
Enthusiast
Enthusiast

ref:

http://www.hellanetwork.com/2013/06/nx-os-security.html

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers